SOC 
SIEM 


What are use cases? 


Use cases are critical to identifying the early, middle and end-stage operations of an 
adversary. A small abnormal event can be a clue to a larger attack, and there also needs to 
be a playbook on how to respond. A use case can be a technical rule or condition applied to 
the logs ingested into the SIEM, e.g. malicious traffic seen hitting critical servers of the 
infrastructure, or too many login attempts in the last minute. 


Best practices 


1. Always keep a clear list of your use cases handy. 

2. The use cases need to be mapped to the MITRE ATT&CK phases so you can tell how far 
the adversary has progressed towards their objective. Tagging and mapping to the MITRE 
ATT&CK Matrix helps detection (which logs to tap into) and mitigation, and also helps 
attribution to an APT group. 

3. Each use case should have a clear priority based on your organisation. 

4. Each use case should name the log source that must be ingested into your SIEM. 
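As an added example (not from the original page), here is one use case from the Windows list written out the way the practices above ask: a name, a priority, the log source that must be ingested and an ATT&CK mapping, together with the detection logic for "too many login attempts in a short window followed by a success" run over sample logon events. Event IDs 4625/4624 and technique T1110 are real; the line format, IP addresses and user names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class UseCase:
    name: str
    priority: str        # set per organisation
    log_source: str      # what must be ingested for the rule to fire
    mitre: tuple         # (tactic, technique ID) from the ATT&CK matrix
    threshold: int = 4   # failed logons that count as a brute-force burst
    window: timedelta = timedelta(minutes=1)

BRUTE_FORCE_THEN_SUCCESS = UseCase(
    name="Brute force attempt from same source with successful login",
    priority="High",
    log_source="Windows Security log (4625 failed logon, 4624 successful logon)",
    mitre=("Credential Access", "T1110"),
)

def parse(line):  # constructed format: '<ISO time> <event id> src=<ip> user=<name>'
    ts, eid, src, user = line.split()
    return datetime.fromisoformat(ts), int(eid), src[4:], user[5:]

def detect(uc, lines):
    """Alert per source with >= threshold failures inside `window` followed by a success."""
    failures = defaultdict(list)   # source IP -> timestamps of 4625 events
    alerts = []
    for ts, eid, src, user in sorted(parse(l) for l in lines):
        if eid == 4625:
            failures[src].append(ts)
        elif eid == 4624:
            recent = [t for t in failures[src] if ts - t <= uc.window]
            if len(recent) >= uc.threshold:
                alerts.append({"use_case": uc.name, "priority": uc.priority,
                               "mitre": uc.mitre, "src": src, "user": user,
                               "failures": len(recent), "at": ts.isoformat()})
                failures[src].clear()  # do not re-alert on the same burst
    return alerts

# Constructed sample events (not real logs): a burst from 10.0.0.5 ending in a
# success, and a lone success from 10.0.0.9 that must not fire.
SAMPLE = [
    "2024-03-01T09:00:01 4625 src=10.0.0.5 user=jsmith",
    "2024-03-01T09:00:05 4625 src=10.0.0.5 user=jsmith",
    "2024-03-01T09:00:12 4625 src=10.0.0.5 user=jsmith",
    "2024-03-01T09:00:40 4625 src=10.0.0.5 user=jsmith",
    "2024-03-01T09:00:45 4624 src=10.0.0.5 user=jsmith",
    "2024-03-01T09:01:30 4624 src=10.0.0.9 user=amiller",
]
```

Each alert carries the use-case name, priority and ATT&CK tag, so the analyst receiving it can go straight to the matching playbook.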


Why is it important to have a large set of use cases and playbooks for them? 


1. Real cyber-attacks are complex. It is actually very hard for an attacker to stay invisible 
to a SOC that has enabled the right set of use cases. 

2. Use cases are rules that trigger alerts. You need playbooks, i.e. instructions on how to 
respond to them, with steps to analyse and mitigate. 

3. The process of creating playbooks is itself very important. It goes a long way towards 
preparing you to handle a cyber-attack. 


Below is a list of sample use cases. You can categorize them in multiple ways; refer to your 
SIEM-specific documentation for the list of rules that come bundled with it. 


Windows 


• Server Shutdown/Reboot 
• Removable media detected 
• Windows abnormal shutdown 
• Login attempts with the same account from different source desktops 
• Detection of Server shutdown/reboot after office hours 
• Administrative Group Membership Changed 
• Unauthorized Default Account Logins 
• Interactive use of service account 
• Remote access login - success & failure 
• Windows Service Stop/Restart 
• ACL Set on Admin Group members 
• Windows Account Enabled/Disabled 
• Multiple Windows Accounts Locked out 
• Multiple Windows Logins by Same User 
• Brute force attempt from same source 
• Logins outside normal business hours 
• Logins to multiple user accounts from the same source 
• Brute force attempt from same source with successful login 
• Windows Account Created/Deleted 
• Windows Hardware Failure 
• Failed Login to Multiple Destinations from Same Source 
• Administrative Accounts - Multiple Login failures 
• Detection of user account added/removed in admin group 
• Detection of system time changes (Boot time) 
• Detection of use of default product vendor accounts 
• User Deleted Within 24hrs of Being Created 
• Critical service stopped on Windows Servers 
• Windows Security Log is full 
• Multiple Password Changes in Short time 
• Windows group type was changed 
• Audit Policy change 
• Audit Log cleared 
• Detection of user account added 
• Logon Failure - A logon attempt was made using an expired account 
• High number of users created/removed within a short period of time 
• Outbound Traffic observed from Servers to Internet 
• Failed Logins/Attempts with Disabled/Ex-Employee/Expired Accounts 
• Windows File/Folder Delete 
• Windows File/Folder Permission Changes 


Unix 


• Unix FTP File Import and Export Events 
• Unix File system full 
• Server shutdown 
• Users Created/Deleted within short period 
• User Groups Created/Removed within short period 
• Unix - Login attempts with the same account from different source desktops 
• Failed Logins 
• Failed Logins with disabled accounts 
• Unix FTP Login Access 
• Unix multiple SFTP Connections 
• Failed logins from root access 
• Unix Multiple SU login failures 
• Remote Logon Attempts using Root User on Production Node 
• Sudo access from Non-sudo users 
• Detection of use of default product vendor accounts 
• Adding or Removing users to the group "root" 
• Critical Service Stop 
• Unix - High number of login failures for the same account within a short time 
• Password Changed 
• Adding, removing and modifying cron jobs 
• SU login failures 
• Detection of change in syslog configuration 
• Detection of change in network configuration 


Firewall, Antivirus, IPS and VPN 


• Administrator Login Failure 
• Brute force with Successful Configuration Changes 
• Firewall Failover event 
• Successful connection from internet IP after repetitive blocks in firewall 
• Access attempts on unidentified protocols & ports 
• Exploit Event followed by Scanning Host 
• Outbound access to invalid destination IPs 
• Successful logon during Non-Business Hours 
• Firewall reboots 
• Detection of user account/group modifications 
• User Added/Deleted to Firewall Database 
• Detection of insecure traffic like FTP, telnet, on critical servers 
• Detection of adding/deletion of a Firewall admin 
• Login Denied (Brute Force) 
• High number of Denied events 
• Configuration Change detected 
• The link to peer device is down, either because of a physical cabling issue or an NSRP configuration issue 
• Network and Host Port Scan Attempts 
• Detection of Primary-Secondary Switch Over 
• An admin has allowed/removed access to the firewall from a particular IP 
• Detected P2P traffic 
• Alerting high CPU utilization on firewall 
• Firewall failed to allocate RAM memory 
• Detection of any kind of failure related to Standby FW 
• Top dropped traffic from DMZ, FW 
• Outbound Traffic observed on Important Ports 
• Successful Outbound Traffic to Blacklisted Threat IP Address 
• Multiple Failed Outbound Traffic to Blacklisted Threat IP Address 


Security Device — Checkpoint 


• Firewall critical alert observed 
• VPN configuration change observed 
• Administrator Login Failure detected 
• Successful logon during Non-Business Hours 
• Successful access from Suspicious Countries 
• Checkpoint Service restarts 
• Firewall Cluster/Gateway Configuration Change 
• CPU Utilization High 
• Checkpoint Policy Installed 
• High number of denied events 
• Smart-Defense Signature Based Alert 
• VPN Certificate Verification Failure 
• Configuration Change detected 
• Firewall reboots 


Email — Example — Exchange 


• Top 10 users sending mails to external domains 
• Top 10 Email Receivers/Senders 
• Data Leakage Identified through 
• Large files sent via mail 
• Malicious/Suspicious attachments identified 
• Email Usage Group IDs 
• Monitoring mails going out from the company domain to other domains after Office Hours 
• High Email Bandwidth utilization by individual users 
• Detection of Undelivered Messages 
• Mailbox Access by Another user 
• User sending a Message as another user 
• User Sending a Message on behalf of another user 
• Detection of users logging in to a Mailbox which is not their Primary Account 
• Detection of Auto Redirected Mails 
• Top 10 users sending mails internally 
• SMTP gateway sudden spike in Incoming mails 
• High number of rejected mails from a single "from" address 


Wireless/VPN 


• Rogue Network Traffic Detected 
• Top VPN Account Logged in from Multiple Remote Locations 
• Top VPN Account Logged in From VPN and on Local Network 
• Wireless unauthorized login attempts 
• Wireless authorization server is down 
• Anonymous login from unknown IP address 
• VPN Account logged in from multiple locations in a short span of time, or from suspicious countries 
• Simultaneous Login from Multiple Locations for Single User 
• VPN Connection beyond 24 Hours 
• VPN Access from Internal IP Address 
• VPN access from overseas 
• Wireless AP rebooted 
• Wireless unsecure AP detected 
• VPN access from onshore team 
• VPN access and Access card on Onshore observed 


IPS — Example device — Cisco IPS 


• UNIX Password File Access Attempt 
• IPS High Alert 
• Possible Exploit of Vulnerability 
• Probable Port Scanning in the network 
• SQL Injection Attempt 
• Virus Traffic in the network 
• Signature Based Attacks 


Proxy 


• Access attempts on unidentified protocols & ports 
• Malware Domain Access Report 
• Proxy Category based Summary Report 
• Malware IP Access Report 
• Potentially Unwanted Software access 
• Dynamic DNS Host 
• Malicious Sources/Malnets 
• Malicious Outbound Data/Botnets 
• Peer-to-Peer (P2P) 
• Proxy Avoidance 
• Remote Access Tools 
• Access from unusual User Agent 
• POST request to uncategorized sites after office hours 
• Unwanted Internet Access 
• Proxy configuration changes 
• Proxy failed login attempt 
• Content access violation 
• Anonymous proxy access 
• Hacker tool website access 
• Access attempts by BOTNET identified by HTTP Request header 


Oracle/DB 


• Oracle password expired 
• Critical command usage 
• Critical commands executed on the database during non-business hours 
• Oracle - Update or Insert Commands 
• Oracle user Created/Deleted 
• Multiple login failures observed for database 
• Database Schema Creation/Modification 
• Top Query Execution Failures 
• Monitoring login attempts on database 
• Use of default vendor accounts against policy 
• Database access during non-business hours 
• Login failures for sys/system or privileged accounts 
• Connection to production databases from disallowed network segments 


Router and Switches 


• Emergency router error messages 
• BGP Neighbour Relationship Status Change 
• Router - Power supply failure 
• Configuration Change 
• Critical messages observed from the SWITCH 
• Alert messages observed from the SWITCH 
• Detection of Antispam 
• File Dropped due to large size 
• Detection of application process proxy 
• Detection of land attack 
• Detection of Ping of death attack 
• Detection of new policy addition 
• Detection of policy violation 
• Virus traffic 
• Content filtering detected 
• Authentication failure/success 


Anti-Virus (AV) 


• AV Virus Detected 
• AV Detection of Backdoor traffic in the network 
• Removable Storage Identified 
• AV Malware Infection Identified (Not quarantined/cleaned/deleted/moved) 
• Multiple AV Malware Infections Identified from Same Host 
• Multiple Sources accessing the same Malware URL 
• Multiple Types of AV Malware Infection Identified from Same Host 
• Detection of failure of Antivirus DAT update on end user machines 
• Detection of Worm outbreak in the network 
• Detection of Virus Outbreak 
• Attempt to stop the Ad hoc/daily scan schedules 
• Detection of Backdoor traffic in the network 
• Attempt to stop the AV Services 
• Attempt to stop the critical AV modules 
• AV identified Rogue machines in the network 
• Detection of a scan which is stopped before it completes 
• Detection of a scheduled scan that is stopped/paused (delayed) 
• Detection of a computer which is not protected with the latest definitions 
• Detection of new client software installed 
• Detection of client software uninstalled 
• AV Malware Breakout Identified across multiple machines on same Subnet/Different Subnet 
• Multiple re-occurrences of same Infection identified from same machine (AL and Trend — Historical) 
• Multiple re-occurrences of unique Infection identified from same machine (AL and Trend — Historical) 
• Blacklist Domain/IP Address monitoring of traffic to/from the Infected machine (AL and Trend — Real Time) 
• Brute Force/port or host scan/privilege elevation access attempt from the Infected machine (AL and Trend — Real Time) 
• Attempt to restart AV service or process, AV modules from Infected machine 
• Access to critical file share, network path, SSH or Remote RDP attempt from the Infected Host 


Uncategorized: 


• Default User Account Usage 
• Inactive User Accounts 
• After Hours VPN Access Monitoring 
• Firewall Top Talkers 
• P2P Traffic 
• Distributed Host Port Scan 
• Distributed Network Host Scan 
• SYN Flood by IDS/Firewall 
• High Number of Denied Connections for a Single Host 
• Worm/Virus Outbreak Detected 
• Outbound/Inbound Network Sweep 
• AV Update Failed 
• Malware IP Access 
• Malware URL Access 
• Hacking attempt on web portal 
• Data Leakage 
• Detection of BOTNET infection in Internal LAN 
• Unauthorised access from Third Party or vendor networks 
• Infected Host Activities 
• Suspicious, Adware, Phishing and Hacking Activities 
• Unwanted Software 
• AV Malware Breakout Identified across multiple machines 
• Monitor Development team's access to Production systems 
• Blacklisted IP 
• Blacklisted IP Pass after multiple Firewall Blocks 
• Blacklisted URL 
• Data Overview Trend 
• Outbound Traffic to Suspicious Countries 
• Outbound Traffic to Suspicious port 
• Outbound Traffic to Suspicious Services 
• Terminated User Activity 
• Malicious Traffic to Vulnerable Asset 
• Communications to Bad Domains 
• Communications to Blacklisted Domains/IPs 
• Data Transfer involving Blacklisted Domains/IPs 
• Outbound traffic involving Database 
• Cross Site Scripting 
• Script Injection 
• Malicious Activity 
• Detection of FW Interface Status Changes/Failures 
• Insecure Protocol Usage — Detection of insecure traffic like FTP, telnet, VNC on critical servers 
• VPN Access from Outside Country 
• Suspicious VPN Login Attempts 
• Detection of service stop on ESX servers 
• Detection of multiple user failed logins on ESX servers from the same source 
• Detection of ESX server shutdown/restart 
• Detection of virtual machine start/stop/resume/reboot 
• Detection of addition/removal of a host on vCenter 
• Detection of virtual machine creation/removal on vCenter 
• Probable XSS attack observed 
• Probable Directory Traversal attack observed 
• Suspicious HTTP methods observed 
• HTTP Request Other Than GET, POST, HEAD and OPTIONS 
• Probable SQL Injection attack observed 
• Web Attack - Vulnerability scanning using Nessus 